ASP.NET Core 5.0 - FIDO2 Credential Devices
This article will describe the FIDO2 devices I used to develop the Users Without Passwords Project (UWPP). I will assume you have downloaded the ASP.NET Core 5.0 - Users Without Passwords Project.
Users Without Passwords Project and Article Series
I have developed two separate projects in the Users Without Passwords Project (UWPP) solution. The Users Without Passwords v4 project supports Bootstrap v4 and the new Users Without Passwords project supports Bootstrap v5. The new version is published at Fido.KenHaggerty.Com. You can register a new user with Windows Hello or a FIDO2 security key. Details, screenshots, and related articles can be found at ASP.NET Core 5.0 - Users Without Passwords Project. The details page includes the version change log.
- ASP.NET Core 5.0 - Users Without Passwords
- ASP.NET Core 5.0 - Migrate To Bootstrap v5
- ASP.NET Core 5.0 - The TempData Challenge
- ASP.NET Core 5.0 - FIDO2 Challenge Options
- ASP.NET Core 5.0 - FIDO2 Credential Devices
- ASP.NET Core 5.0 - FIDO2 Credential Create
- ASP.NET Core 5.0 - FIDO2 Credential Get
- ASP.NET Core 5.0 - FIDO2 Attestation Trust
- ASP.NET Core 5.0 - Multiple FIDO2 Credentials
The user must possess at least one FIDO2 authenticator to register and log in. Windows Hello implements authentication with an IR webcam for facial recognition, a fingerprint scanner, or just by setting up and using a PIN. See Learn about Windows Hello and set it up.
Project Evolution
I have been researching this project for over a year. When I started, I just wanted to register a user and then log in with a device. With the help of GitHub - scottbrady91/Fido2-Poc and my first Yubico security key, I developed an ASP.NET Core 3.1 Razor Pages project which registered and authenticated a user without a password.
My next objective was to implement multiple credentials and credential management per user. At the time, my second FIDO2 device was Windows Hello. The Yubico security key uses Elliptic Curve cryptography and Windows Hello uses RSA cryptography. With the help of GitHub - abergs/fido2-net-lib I implemented RSA cryptography.
After I purchased a HyperFIDO Titanium PRO key and a second Yubico key, I started tracking the device's AAGUID, which stands for “Authenticator Attestation Globally Unique ID”. I had issues trying to store and verify the signature counter. The signature counter should increment with each authentication. I published that version of the project to fido.kenhaggerty.com and emailed HyperFIDO support, including the AAGUID, asking for help. The kind folks at Hypersecu analyzed the published project and replied letting me know I was not decoding big-endian values properly. Even the AAGUID, which is big-endian, didn't match. I was embarrassed but thankful I had not released that version.
I have two Yubico keys with NFC (Security Key NFC), a HyperFIDO Titanium PRO and a HyperFIDO PRO MINI. My laptop has a fingerprint scanner which works with Windows Hello. I even bought an IR webcam to test facial recognition. Probably my most useful device is a male micro USB to female USB adapter because my phone doesn't have NFC.
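The big-endian decoding problem above is easy to reproduce in .NET: `BitConverter` reads little-endian on x86, and `new Guid(byte[])` reverses the first three groups of the AAGUID. The following C# (an added example, not code from the UWPP project) decodes the WebAuthn authenticator data fields with explicit big-endian reads and applies the W3C signature-counter rule; the authenticator data is a constructed sample, not a real capture.

```csharp
using System;
using System.Buffers.Binary;
using System.Linq;

// Added example: big-endian decoding of WebAuthn authenticator data plus the
// signature-counter check (W3C WebAuthn §7.2). Not the project's own code.
public static class AuthDataDecoder
{
    // Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)
    //         | AAGUID(16) | credIdLen(2, big-endian) | credId | COSE key (when AT flag set)
    public static uint ReadSignCount(byte[] authData) =>
        BinaryPrimitives.ReadUInt32BigEndian(authData.AsSpan(33, 4));

    // The GUID string is simply the 16 bytes hex-encoded in network order.
    // new Guid(byte[]) would instead treat the first 4-2-2 bytes as little-endian.
    public static string ReadAaguid(byte[] authData)
    {
        string hex = BitConverter.ToString(authData, 37, 16).Replace("-", "").ToLowerInvariant();
        return $"{hex[..8]}-{hex[8..12]}-{hex[12..16]}-{hex[16..20]}-{hex[20..]}";
    }

    public static byte[] ReadCredentialId(byte[] authData)
    {
        int len = BinaryPrimitives.ReadUInt16BigEndian(authData.AsSpan(53, 2));
        return authData.AsSpan(55, len).ToArray();
    }

    // Both zero: the authenticator does not implement a counter. Otherwise the received
    // value must be strictly greater, or the assertion may come from a cloned authenticator.
    public static bool CounterIsValid(uint stored, uint received) =>
        (stored == 0 && received == 0) || received > stored;

    public static void Main()
    {
        // Constructed sample: zeroed rpIdHash, flags UP|UV|AT, signCount 0x00000100,
        // the Windows Hello AAGUID from the table in this article, a 4-byte credential id.
        // The trailing COSE public key is omitted because nothing here parses it.
        byte[] authData = new byte[32]
            .Concat(new byte[] { 0x45, 0x00, 0x00, 0x01, 0x00 })
            .Concat(new byte[] { 0x08, 0x98, 0x70, 0x58, 0xca, 0xdc, 0x4b, 0x81,
                                 0xb6, 0xe1, 0x30, 0xde, 0x50, 0xdc, 0xbe, 0x96 })
            .Concat(new byte[] { 0x00, 0x04, 0x01, 0x02, 0x03, 0x04 }).ToArray();

        Console.WriteLine($"signCount big-endian (correct): {ReadSignCount(authData)}");
        Console.WriteLine($"signCount via BitConverter (wrong on x86): {BitConverter.ToUInt32(authData, 33)}");
        Console.WriteLine($"AAGUID network order (correct): {ReadAaguid(authData)}");
        Console.WriteLine($"AAGUID via new Guid(byte[]) (wrong): {new Guid(authData.AsSpan(37, 16).ToArray())}");
        Console.WriteLine($"credentialId length: {ReadCredentialId(authData).Length}");
        Console.WriteLine($"counter 255 -> 256 accepted: {CounterIsValid(255, 256)}");
        Console.WriteLine($"counter 256 -> 256 accepted: {CounterIsValid(256, 256)}");
    }
}
```

Compare the two AAGUID lines against the Windows Hello row in the table: only the network-order decode reproduces the value the authenticator metadata publishes.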
Works with FIDO2 Devices
Device | AAGUID | Purchased |
---|---|---|
Windows Hello | 08987058-cadc-4b81-b6e1-30de50dcbe96 | Windows 10 Install |
Security Key NFC | 6d44ba9b-f6ec-2e49-b930-0c8fe920cb73 | July 2019 |
Security Key NFC | 149a2021-8ef6-4133-96b8-81f8d5b7f1f5 | March 2020 |
HyperFIDO Titanium PRO | 9f77e279-a6e2-4d58-b700-31e5943c6a98 | June 2020 |
HYPERFIDO Pro Mini | 9f77e279-a6e2-4d58-b700-31e5943c6a98 | March 2021 |
Kaysuda CA20 Face Recognition USB IR Camera | Windows Hello | March 2021 |
Instead of debugging Web Authentication in your website or app with physical authenticators, use the WebAuthn tool in Microsoft Edge DevTools to create and interact with software-based virtual authenticators. See Emulate authenticators and debug WebAuthn in Microsoft Edge DevTools.
DevTools (F12) has a WebAuthn tab where you can enable the virtual authenticator environment and then create virtual authenticators.
Option | Value | Details |
---|---|---|
Protocol | ctap2 or u2f | The protocol the virtual authenticator uses for encoding and decoding. |
Transport | usb, nfc, ble, or internal | The virtual authenticator simulates the selected transport for communicating with clients in order to obtain an assertion for a specific credential. For more information, navigate to Authenticator Transport Enumeration. |
Supports resident keys | Turn on (or off) using the checkbox | Turn on if your web app relies on resident keys (also known as client-side discoverable credentials). For more information, navigate to Resident Key Requirement Enumeration. |
Supports user verification | Turn on (or off) using the checkbox | Turn on if your web app relies on local authorization using gesture modalities like touch plus PIN code, password entry, or biometric recognition. For more information, navigate to User Verification. |
When you register a user or add a new user credential with a virtual authenticator, the credential ID is listed. The signature count updates with each login. The credential IDs do not persist if the environment is disabled and then enabled, or if DevTools is closed and then opened. You can export a credential as a PEM file, but I have not found a way to import the credential.
References:
- Enabling Strong Authentication with WebAuthn
- Emulate authenticators and debug WebAuthn in Microsoft Edge DevTools
- Windows Hello face authentication
- Kaysuda Face Recognition USB IR Camera for Windows Hello
- Security Key by Yubico
- YubiKey Hardware FIDO2 AAGUIDs
- Biometrics (fingerprint) auth in your web apps
- W3.org - Signature Counter Considerations